With the advent of new rules regulating the protection of personal data, companies with operations in Colombia must implement policies and practices to comply with Colombia's privacy law. In October 2012, Colombia enacted Law 1581 to regulate the protection of personal data and safeguard the constitutional right of privacy in the midst of the challenges posed by globalization and new technologies that enable the easy electronic transfer of personal data. On June 27, 2013, Colombia's executive branch issued Decree 1377 to implement various provisions of Law 1581. Decree 1377 went into effect immediately. This article discusses obligations arising under Law 1581 and Decree 1377, the steep potential sanctions for noncompliance, as well as recommendations for companies to ensure full compliance with the privacy law.
Law 1581 is part of a growing trend in Latin America to establish broad data protection regimes. As of this publication, Colombia joins Argentina, Costa Rica, Mexico, Peru and Uruguay in enacting such laws. Other countries in Latin America, such as Brazil, are considering similar legislation. U.S. multinationals with employees in Latin America should closely follow this trend.
The Constitutional Right of Privacy
Under the Political Constitution of Colombia of 1991, all citizens have an inviolate fundamental right to personal and familial privacy and to the protection of their good name. Until the enactment of Law 1581, Colombia's constitutional courts interpreted and enforced this right of privacy. However, companies were left to interpret the scope of these decisions when attempting to comply with the law.
In an apparent attempt to create a uniform legal framework for the protection of personal data, Law 1581 codifies the precedential judicial decisions on this topic and further imposes extensive requirements to ensure that public and private entities collecting, processing and/or transferring personal data do so without compromising citizens' privacy rights. Law 1581 also makes it clear that the right to access, correct and challenge the use of personal data extends to every person, regardless of age or gender, and every area of society, including the workplace.
Important Provisions of the Privacy Law
The privacy law imposes various obligations on any "responsible party" that directly or indirectly processes personal data about the data owner. Law 1581 defines the "responsible party" as the public or private individual or entity that processes the personal data or decides how the data should be processed or the database safeguarded. The data owner is the individual whose personal data is processed. The processing of personal data encompasses the collection, processing, storage, use, transfer or suppression of any information that can be associated with an identified or identifiable individual.
Since employers, as part of their normal course of business, typically collect and process the personal data of their prospective, current or former employees, employers should be especially mindful of the following important provisions under the law:
Privacy notice. Either in writing, verbally or...